RCE Unsecure Jenkins Instance | Bug Bounty POC

Honestly, I was just getting bored and the blog hadn't been updated in a while, so I decided to write this. (I will share some more recent issues in a few days 🙂)

I want this write-up to be concise, so let's just say I was checking subdomains of a site and found the subdomain jenkins-thor.dosomething.org.

From the name I figured it must be a Jenkins instance, so I opened the subdomain and got redirected to the GitHub login page.

But the Jenkins instance lacked any kind of security for users: when I visited it, it simply asked me to log in to the Jenkins instance using my GitHub account. As soon as I logged in to your Jenkins instance, I had complete admin access to your Jenkins instance, and I was on the Users page, like

Now, as many of you already know, a Jenkins instance has a Script page where a user can go and execute Groovy script, and you can also install a plugin called Terminal for it.

Note: The issue was reported and has been mitigated. The blog was written after getting permission from the CTO, Matt ( https://twitter.com/mshmsh5000 ) 🙂. Also, DoSomething doesn't have a bug bounty program anymore, so kindly avoid any kind of testing.
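
A defender-side check for the misconfiguration described above, as an added example that is not part of the original post: it audits a Jenkins `config.xml` for authorization settings that give every logged-in account full control. The post does not say which authorization strategy the instance used, so the "logged-in users can do anything" setting is an assumption, and both sample configs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Jenkins core strategies that grant full control (Script Console included)
# to everyone, or to every account that manages to log in.
FULL_CONTROL = {
    "hudson.security.AuthorizationStrategy$Unsecured": "anyone, even anonymous, can do anything",
    "hudson.security.FullControlOnceLoggedInAuthorizationStrategy": "every logged-in user is an administrator",
}
GITHUB_REALM = "org.jenkinsci.plugins.GithubSecurityRealm"  # GitHub OAuth plugin realm
ADMINISTER = "hudson.model.Hudson.Administer"  # Overall/Administer permission id
BROAD_SIDS = {"authenticated", "anonymous"}    # built-in "everyone" groups

def audit_jenkins_config(xml_text):
    """Return a list of findings for the text of a Jenkins global config.xml."""
    # Jenkins writes an XML 1.1 declaration, which Python's parser rejects; drop it.
    root = ET.fromstring(re.sub(r"^\s*<\?xml.*?\?>", "", xml_text, count=1))
    authz = root.find("authorizationStrategy")
    realm = root.find("securityRealm")
    authz_cls = authz.get("class", "") if authz is not None else ""
    realm_cls = realm.get("class", "") if realm is not None else ""
    findings = []
    if authz_cls in FULL_CONTROL:
        findings.append(f"{authz_cls}: {FULL_CONTROL[authz_cls]}")
        if realm_cls == GITHUB_REALM:
            findings.append("GitHub OAuth realm with full control: any GitHub account becomes admin")
    # Matrix strategies: "PERMISSION:sid" or the newer "GROUP:PERMISSION:sid" entries.
    for perm in ([] if authz is None else authz.iter("permission")):
        parts = (perm.text or "").strip().split(":")
        if ADMINISTER in parts and parts[-1] in BROAD_SIDS:
            findings.append(f"Overall/Administer granted to '{parts[-1]}'")
    return findings

# Constructed sample configs (not taken from the instance in the post).
VULNERABLE = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm"/>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
</hudson>"""
HARDENED = """<hudson>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm"/>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:constructed-admin</permission>
    <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
</hudson>"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit_jenkins_config(cfg) or "no findings")
```
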